Overview

overview

8

Static

static

3

ebfd53ae89...1e.exe

windows7-x64

8

ebfd53ae89...1e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25-09-2024 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ebfd53ae895e6020b4bb14ddfe6346ce35da6ba9f25ea398a3a30530d815671e.exe

  • Size

    11.1MB

  • MD5

    d6b171ebed01d2edd705fc21694e1a17

  • SHA1

    f381f4c78d0004227a0bc23e92c391736755fd82

  • SHA256

    ebfd53ae895e6020b4bb14ddfe6346ce35da6ba9f25ea398a3a30530d815671e

  • SHA512

    21f8b9a17b17b93c1b4e87339f076b690ff8f00a1164d7c77703d8668120cd014a4f39a66deeb3704dd84b762b5fa2e9a08593e00093f5b9a9a17c8c7eedc59b

  • SSDEEP

    98304:FdQb+0ChEPIGiq3y3vx+w9TbfjJ+kdfpK46Tle36jknz9Y:Fk+kIGv3y/x+KTbfjJ+kdnAlejY

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\ebfd53ae895e6020b4bb14ddfe6346ce35da6ba9f25ea398a3a30530d815671e.exe
        "C:\Users\Admin\AppData\Local\Temp\ebfd53ae895e6020b4bb14ddfe6346ce35da6ba9f25ea398a3a30530d815671e.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2596
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6D82.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Users\Admin\AppData\Local\Temp\ebfd53ae895e6020b4bb14ddfe6346ce35da6ba9f25ea398a3a30530d815671e.exe
            "C:\Users\Admin\AppData\Local\Temp\ebfd53ae895e6020b4bb14ddfe6346ce35da6ba9f25ea398a3a30530d815671e.exe"
            4⤵
            • Executes dropped EXE
            PID:1932
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2588
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2652
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:536
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      2cdd76dd992ef0cd93f573e846b3f778

      SHA1

      0fd4590f2fc73dab415c222d4ff9303100e74f48

      SHA256

      4182538cd5781ff36b5e9db53150091f127c2ccc5ab72e4a42a37e816b8b4b53

      SHA512

      6ff881bcb507e0988a2b014e63645a614f30a389b00efd5985bc72a73910bda15786871351252c992370000defd32188a03623230d1af36e2a24376b2e817797

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      23c2c932165e28ab0bc8488daa561473

      SHA1

      f6852391374e72097387d9af721c0aef807a2ff0

      SHA256

      d10031fa711a530bdcdb77da251ae1098ba91f9bc62f0b9d7ba92214980a71fa

      SHA512

      3f0026e56feaca95434050e7125bd9e275e0d4038d513abde516708c32c5a490a7afe1ea951da3866961e39c8c5e2e02c38c2507ba47d98964298b473f0d9f1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a6D82.bat
      Filesize

      722B

      MD5

      cf8744a618971097679b7dc9b0128a5c

      SHA1

      07aaa54b0b04e3bab4906a9babb7d648019a1329

      SHA256

      98c96fead7974dd40d5650dba52f0cea9821e67db7bc78c6f680bc4062d12ecd

      SHA512

      d2f3b1f6ec6c068c4ecc1a73a0600b014e56d3420382dba6cccd2ebe92a065d5cde5064c789f0d9a407dedf2d2e095a4e898c18abdae2f90cda116ea4c9f4a47

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ebfd53ae895e6020b4bb14ddfe6346ce35da6ba9f25ea398a3a30530d815671e.exe.exe
      Filesize

      11.0MB

      MD5

      b45b7bd6eb92c5b65378d8d0a0964747

      SHA1

      5ca6f198ac83c90496110259b57ff4a5f47b64bb

      SHA256

      5f1d9218f9735a763ffecc47c7b6f0c342b7f1a5da835733e0b3b73903f864a0

      SHA512

      bde39c4b6d04caae8280bdd53e6036c53ed394a72f0d4d1273c149175570e8a87f87c8963869c96834fef7e82893da38c49ce4aaa1851e65c055dbbcac7c1708

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      f5c94181f5f26317205c1ee19f9f192e

      SHA1

      2dca61560721870ac1329f1bd3f61af68080051d

      SHA256

      981a18bcd06092fac40945e1cec8b5a74fe5fda11e4d0e3b8198b975acd4cea2

      SHA512

      61670e82d4fd63e4bb55b1a322d1cc7e29e23ccac294a81a97e0a606462e840cebeeb31b8691c3296242f1102c2819e9ad0a5124afb45430ddccfb1b8b234f37

      Download Submit

    • C:\Windows\system32\drivers\etc\hosts
      Filesize

      832B

      MD5

      7e3a0edd0c6cd8316f4b6c159d5167a1

      SHA1

      753428b4736ffb2c9e3eb50f89255b212768c55a

      SHA256

      1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

      SHA512

      9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\_desktop.ini
      Filesize

      9B

      MD5

      e02899454c67c7d6d1af854fdcb53b67

      SHA1

      26fb213f7c299c2a4d8c4afd234ee0b751d7a30e

      SHA256

      0e67e90646d3ba7b46f935b205c9f89e8bff2dca7aeda3cd5dfb93868b262315

      SHA512

      e1519bebf62ab4cb28e630a201312812e04f815ec0663f7b68b478da97c0bf7c7c2238a8632540d3d1f37acbe83919fb198b39ebeb222c19faa2130ab65ffffa

      Download Submit

    • memory/1200-30-0x0000000002560000-0x0000000002561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2616-33-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2616-2962-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2616-4155-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2820-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2820-16-0x0000000000240000-0x000000000027E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2820-18-0x0000000000240000-0x000000000027E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2820-20-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download